﻿<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
  <head>
    <title>Process Hacker Help</title>
    <style type="text/css">
body {
  font-family: "Cambria", "Times New Roman", Serif;
  font-size: 11pt;
}

dt {
  font-weight: bold;
}

pre {
  font-size: 10pt;
}
    </style>
  </head>
  <body>
    <p><em><strong>Process Hacker</strong></em></p>

    <h1 id="intro">Introduction</h1>
    <p>Process Hacker is a tool to view and manipulate processes, services and network connections. It is not intended 
    for system optimization, and general users may find many of the concepts it refers to unfamiliar.</p>

    <h2>System Requirements</h2>
    <ul>
      <li>Microsoft Windows XP SP2, Vista or 7 (Windows XP SP3 and Windows Vista SP1 required for certain features)</li>
    </ul>

    <p>Note that some features may be unavailable on 64-bit systems. This includes:</p>
    <ul>
      <li>Bypassing rootkits and security software when accessing processes, threads and other objects</li>
      <li>Viewing kernel pool limits</li>
      <li>Viewing hidden processes</li>
      <li>Changing handle attributes</li>
      <li>Viewing kernel-mode stack traces</li>
    </ul>

    <h2>Configuration File</h2>
    <p>The settings file for Process Hacker is stored in: <code>[Roaming Application Data]\Process Hacker 2</code>.</p>

    <h2>Command Line Options</h2>
    <dl>
      <dt>-hide</dt>
      <dd>Starts Process Hacker hidden, regardless of any settings.</dd>
      <dt>-installkph</dt>
      <dd>Installs the KProcessHacker service.</dd>
      <dt>-nokph</dt>
      <dd>Disables KProcessHacker temporarily.</dd>
      <dt>-nosettings</dt>
      <dd>Uses defaults for all settings and does not attempt to load or save any settings.</dd>
      <dt>-settings filename</dt>
      <dd>Uses the specified file name as the settings file.</dd>
      <dt>-uninstallkph</dt>
      <dd>Uninstalls the KProcessHacker service.</dd>
      <dt>-v</dt>
      <dd>Starts Process Hacker visible, regardless of any settings.</dd>
    </dl>
    
    <h1 id="options">Options</h1>
    <p>Process Hacker's options are accessible from the <strong>Options</strong> menu item 
    in the <strong>Hacker</strong> menu.</p>
    
    <h2>General</h2>
    <dl>
      <dt>Search Engine</dt>
      <dd>This is used by the <strong>Search Online...</strong> menu item in the process and module 
      context menus. <code>%s</code> is replaced by the name of the selected process or module.</dd>
      
      <dt>PE Viewer</dt>
      <dd>This is used by the <strong>Inspect</strong> menu item for modules. <code>%s</code> is 
      replaced by the name of the selected module.</dd>
      
      <dt>Max. Size Unit</dt>
      <dd>Specifies the maximum unit of size; sizes which can be displayed as 1024 or less in a 
      smaller unit will be displayed in that smaller unit, while sizes requiring a larger unit will 
      use units up to the maximum unit specified here.</dd>
      
      <dt>Icon Processes</dt>
      <dd>The number of processes to display in the notification icon menu.</dd>
      
      <dt>Allow only one instance</dt>
      <dd>If enabled, Process Hacker will allow only one instance of itself. Any attempts to start 
      a new instance will show the existing instance.</dd>
      
      <dt>Hide when closed</dt>
      <dd>If enabled, Process Hacker will automatically hide itself when it is closed. You 
      can double-click on the notification icon to show Process Hacker.</dd>
      
      <dt>Hide when minimized</dt>
      <dd>If enabled, Process Hacker will automatically hide itself when it is minimized. You 
      can double-click on the notification icon to show Process Hacker.</dd>
      
      <dt>Start hidden</dt>
      <dd>If enabled, Process Hacker will start hidden. You can double-click on the notification 
      icon to show Process Hacker.</dd>
      
      <dt>Collapse services on start</dt>
      <dd>If enabled, Process Hacker will collapse the services.exe tree, hiding all services 
      at startup.</dd>
      
      <dt>Single-click icons</dt>
      <dd>If enabled, Process Hacker will show/hide itself with only a single click on its tray 
      icons. Otherwise, a double-click is needed.</dd>
      
      <dt>Enable process database</dt>
      <dd>If enabled, Process Hacker will provide additional features but will take longer to 
      start. Currently the only additional feature available is to mark processes as safe/unsafe.</dd>
    </dl>
    
    <h2>Advanced</h2>
    <dl>
      <dt>Enable warnings</dt>
      <dd>If disabled, Process Hacker will not show confirmation prompts for most actions.</dd>
      
      <dt>Enable kernel-mode driver</dt>
      <dd>Some handles cannot be displayed by a user-mode program like Process Hacker; this 
      option enables <em>KProcessHacker</em> which allows Process Hacker 
      to display all handles and bypass rootkits/security software. If enabled, it will be 
      loaded the next time Process Hacker is started. This currently has no effect on 64-bit 
      systems.</dd>
      
      <dt>Hide unnamed handles</dt>
      <dd>If enabled, unnamed handles will be hidden by default. This can be changed in each 
      process properties window.</dd>
      
      <dt>Replace Task Manager with Process Hacker</dt>
      <dd>If enabled, any attempt to start Task Manager will start Process Hacker instead.</dd>
    </dl>
    
    <h2>Symbols</h2>
    <dl>
      <dt>Dbghelp.dll path</dt>
      <dd>Select the path to the most recent version of dbghelp.dll you have 
      installed on your computer. If you do not have the latest version, go to 
      <code>http://www.microsoft.com/whdc/devtools/debugging/default.mspx</code> and 
      download Debugging Tools for Windows.</dd>
      
      <dt>Search path</dt>
      <dd>Type in a symbol server path. Most users will want to use the following: 
      <code>SRV*<strong>C:\Users\USERNAME\Symbols</strong>*http://msdl.microsoft.com/download/symbols</code>. 
      This will have any needed symbols downloaded from Microsoft's symbol server to 
      the specified directory (in bold).</dd>
      
      <dt>Undecorate symbols</dt>
      <dd>If enabled, C++ symbol names will be undecorated (unmangled). This is most 
      useful for methods with complex signatures.</dd>
    </dl>
    
    <h2>Highlighting</h2>
    <dl>
      <dt>Highlighting Duration</dt>
      <dd>This specifies the amount of time for which new and removed objects (processes, threads and services) 
      are highlighted in a different color.</dd>
      
      <dt>New Objects</dt>
      <dd>New processes, services, threads, modules, memory regions, and handles.</dd>
      
      <dt>Removed Objects</dt>
      <dd>Terminated/deleted processes, services, threads, modules, memory regions and 
      handles.</dd>
      
      <dt>Own Processes</dt>
      <dd>Processes running under the same user account as Process Hacker.</dd>
      
      <dt>System Processes</dt>
      <dd>Processes running under the SYSTEM user account.</dd>
      
      <dt>Service Processes</dt>
      <dd>Processes hosting one or more services.</dd>
      
      <dt>Job Processes</dt>
      <dd>Processes associated with a job object.</dd>
      
      <dt>POSIX Processes</dt>
      <dd>POSIX subsystem processes (also known as Subsystem for UNIX-based Applications).</dd>
      
      <dt>Debugged Processes</dt>
      <dd>Processes currently being debugged.</dd>
      
      <dt>Elevated Processes</dt>
      <dd>Processes running with full privileges on a computer with 
      User Account Control (UAC) enabled.</dd>
      
      <dt>Suspended Processes and Threads</dt>
      <dd>Processes and threads which have been suspended.</dd>
      
      <dt>.NET Processes and DLLs</dt>
      <dd>Managed (.NET) processes and DLLs/modules.</dd>
      
      <dt>Packed Processes</dt>
      <dd>Processes with packed images. These processes are sometimes malicious, but normal executables are 
      often packed to reduce their size.</dd>
      
      <dt>GUI Threads</dt>
      <dd>Threads which have made at least one GUI-related system call.</dd>
      
      <dt>Relocated DLLs</dt>
      <dd>DLLs which were not loaded at their preferred base address.</dd>
      
      <dt>Protected Handles</dt>
      <dd>Handles which are protected from being closed.</dd>
      
      <dt>Inherit Handles</dt>
      <dd>Handles which will be inherited by child processes.</dd>
    </dl>
    
    <h2>Graphs</h2>
    <dl>
      <dt>Show Text</dt>
      <dd>If disabled, Process Hacker will not show text representing the current usage for each graph.</dd>
    </dl>
    
    <h1 id="numberinput">Number Input</h1>
    <p>Process Hacker supports the input of numbers in various bases (including some non-standard
    extensions).</p>
    <p>A number is assumed to be in base 10 unless:</p>
    <ul>
      <li>It starts with <code>0</code> (zero) - octal (base 8)</li>
      <li>It starts with <code>0x</code> - hexadecimal (base 16)</li>
      <li>It starts with <code>b</code> - binary (base 2)</li>
      <li>It starts with <code>t</code> - ternary (base 3)</li>
      <li>It starts with <code>q</code> - quaternary (base 4)</li>
      <li>It starts with <code>w</code> - base 12</li>
      <li>It starts with <code>r</code> - base 32</li>
    </ul>
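    <p>The prefix rules above, written out as a small parser. This is an added example, not Process Hacker's own 
    code: the function names and error codes are hypothetical, and the digit alphabet for bases above 10 
    (<code>0-9</code> then <code>a-v</code>, case-insensitive), lowercase-only prefixes and the reading of a lone 
    <code>0</code> as decimal zero are assumptions. It shows that a zero-padded value such as <code>010</code> is 
    read as 8 and that <code>09</code> is rejected.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: names and error codes are hypothetical, not Process Hacker's. */
typedef enum { NUM_OK, NUM_EMPTY, NUM_BAD_DIGIT, NUM_OVERFLOW } parse_status;

/* Value of one digit character, or -1 if it is not a digit at all.
 * Assumption: digits above 9 are the letters a, b, c, ... (case-insensitive),
 * so base 12 uses 0-9,a,b and base 32 uses 0-9,a-v. */
static int digit_value(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'z') return c - 'a' + 10;
    if (c >= 'A' && c <= 'Z') return c - 'A' + 10;
    return -1;
}

/* Parse text using the prefix rules from the help page.
 * On success stores the value and, if base_used is non-NULL, the base chosen. */
parse_status parse_number(const char *text, uint64_t *value, unsigned *base_used)
{
    unsigned base = 10;
    size_t skip = 0;
    uint64_t acc = 0;
    const char *p;

    if (text == NULL || text[0] == '\0')
        return NUM_EMPTY;

    if (text[0] == '0' && text[1] == 'x') {
        base = 16; skip = 2;              /* "0x" must be tested before "0" */
    } else if (text[0] == '0' && text[1] != '\0') {
        base = 8; skip = 1;               /* leading zero: octal */
    } else {
        switch (text[0]) {                /* single-letter prefixes */
        case 'b': base = 2;  skip = 1; break;
        case 't': base = 3;  skip = 1; break;
        case 'q': base = 4;  skip = 1; break;
        case 'w': base = 12; skip = 1; break;
        case 'r': base = 32; skip = 1; break;
        default: break;                   /* no prefix: base 10 */
        }
    }

    p = text + skip;
    if (*p == '\0')
        return NUM_EMPTY;                 /* a prefix with no digits, e.g. "0x" */

    for (; *p != '\0'; p++) {
        int d = digit_value(*p);
        if (d < 0 || (unsigned)d >= base)
            return NUM_BAD_DIGIT;         /* e.g. '9' in an octal number */
        if (acc > (UINT64_MAX - (uint64_t)d) / base)
            return NUM_OVERFLOW;          /* acc * base + d would exceed 64 bits */
        acc = acc * base + (uint64_t)d;
    }

    *value = acc;
    if (base_used != NULL)
        *base_used = base;
    return NUM_OK;
}

/* Convenience wrappers for callers that need only one of the two results. */
static parse_status status_of(const char *text)
{
    uint64_t v;
    return parse_number(text, &v, NULL);
}

static uint64_t value_of(const char *text)
{
    uint64_t v = 0;                       /* stays 0 if parsing fails */
    parse_number(text, &v, NULL);
    return v;
}

int main(void)
{
    /* Constructed sample inputs covering each prefix and each failure mode. */
    static const char *samples[] = {
        "1234", "010", "09", "0x1f", "b101", "t21", "q33", "w1b", "rv",
        "0x", "0x10000000000000000"
    };
    static const char *names[] = { "ok", "empty", "bad digit", "overflow" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %-10s %llu\n", samples[i], names[status_of(samples[i])],
               (unsigned long long)value_of(samples[i]));
    return 0;
}
```

    <p>When entering a PID or address copied from another tool, strip any zero padding or add the 
    <code>0x</code> prefix so the value is not read as octal.</p>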
    
    <h1 id="proctree">Process Tree</h1>
    <p>The process tree displays processes running on the system as a tree; processes started by a 
    particular parent process are shown indented below it. Processes with a non-existent parent 
    (where its parent has terminated) are shown on the far left. You can manipulate processes by 
    right-clicking on them, and you can show detailed properties for a process by double-clicking 
    it or selecting the "Properties..." menu item.</p>
    
    <p>You can sort by the various columns by clicking on them - the tree view will temporarily 
    become a flat list. You can click the same column again to sort in the reverse order, and 
    once more to return to the tree view.</p>
    
    <p>Like Process Explorer, Process Hacker shows Deferred Procedure Calls (DPCs) and Interrupts 
    in the process tree. The only information these "processes" show is their CPU usage.</p>
    
    <h2>Process Tooltips</h2>
    <p>If you hover the mouse over a process' name, a tooltip appears with useful information:</p>
    <dl>
      <dt>Command Line</dt>
      <dd>The command line that was used to start the process.</dd>
      
      <dt>File Name</dt>
      <dd>The file name of the process.</dd>
      
      <dt>Known command line information</dt>
      <dd>This may include <strong>Service group name</strong> for svchost.exe processes, 
      <strong>Run DLL target file</strong> for rundll32.exe processes, and <strong>COM target</strong> 
      for dllhost.exe processes.</dd>
      
      <dt>Services</dt>
      <dd>A list of services which the process hosts.</dd>
      
      <dt>Notes</dt>
      <dd><em>Signer</em> - The process' file is digitally signed by the indicated entity.<br />
      <em>Image is probably packed</em> - The process' file has been determined to be packed.<br />
      <em>Console host</em> (Windows 7 and above only) - This is the process which hosts the console 
      window of the process.<br />
      <em>Process is managed (.NET)</em> - The process uses the .NET Framework.<br />
      <em>Process is elevated</em> (Windows Vista and above only) - The process is running with UAC 
      elevation.<br />
      <em>Process is in a job</em> - The process has an associated job.<br />
      <em>Process is POSIX</em> - The process is running under the POSIX subsystem.<br />
      <em>Process is 32-bit (WOW64)</em> (64-bit systems only) - The process is 32-bit.</dd>
    </dl>
    
    <h2>Context Menu</h2>
    
    <dl>
      <dt>Terminate</dt>
      <dd>Terminates the selected process(es). If KProcessHacker is enabled, Process Hacker 
      will, except under extraordinary circumstances, be able to terminate any process, 
      including ones protected by rootkits or security software.</dd>

      <dt>Terminate Tree</dt>
      <dd>Terminates the selected process and its descendants.</dd>

      <dt>Suspend</dt>
      <dd>Suspends the selected process(es). If KProcessHacker is enabled and running on 
      Windows Vista, Process Hacker will be able to suspend any process, including ones 
      protected by rootkits or security software.</dd>

      <dt>Resume</dt>
      <dd>Resumes the selected process(es). If KProcessHacker is enabled and running on 
      Windows Vista, Process Hacker will be able to resume any process, including ones 
      protected by rootkits or security software.</dd>
      
      <dt>Restart</dt>
      <dd>Restarts the selected process with the same command line arguments and working 
      directory.</dd>
      
      <dt>Debug</dt>
      <dd>Starts the debugger, specifying the selected process.</dd>
      
      <dt>Reduce Working Set</dt>
      <dd>Empties the selected process(es)' working set(s). 
      This is a safe function; the process will eventually reclaim most of its working set.</dd>
      
      <dt>Virtualization</dt>
      <dd>Allows you to enable or disable virtualization for the selected process, if allowed.</dd>
      
      <dt>Affinity</dt>
      <dd>Allows you to view and modify the process' CPU affinity (the CPUs on which it is allowed 
      to run).</dd>
      
      <dt>Create Dump File...</dt>
      <dd>Allows you to create a crash dump file for the process. This operation does not actually 
      cause the process to crash or terminate.</dd>
      
      <dt>Terminator</dt>
      <dd>A tool which tries to terminate the selected process using many different techniques.</dd>
      
      <dt>Detach from Debugger</dt>
      <dd>Detaches the process from any debugger. This will cause any attached debuggers to stop working.</dd>
      
      <dt>GDI Handles</dt>
      <dd>Shows the GDI objects owned by the process.</dd>
      
      <dt>Heaps</dt>
      <dd>Shows the heaps created by the process. Note that this action causes a temporary thread 
      to be created in the process and should be used with caution.</dd>
      
      <dt>Inject DLL...</dt>
      <dd>Allows you to select a DLL file (or any other PE image) that will be injected into 
      the selected process. This option is only available for processes running in the same 
      session as Process Hacker (usually processes in the same user account).</dd>
      
      <dt>I/O Priority</dt>
      <dd>Sets the process' I/O priority.</dd>

      <dt>Priority</dt>
      <dd>Sets the process' priority - Real Time, High, Above Normal, Normal, Below Normal, Idle.
      This option is not available when multiple processes are selected.</dd>
      
      <dt>Window</dt>
      <dd>Allows you to manipulate the process' window, if one was found. If the process does not 
      have any visible windows, the menu is disabled.</dd>
      
      <dt>Search Online</dt>
      <dd>Opens the default web browser with the search engine specified in Process Hacker's options.</dd>
    </dl>
    
    <h2>Terminator tests</h2>
    <dl>
      <dt>TP1</dt>
      <dd>Terminates the process using the NtTerminateProcess function.</dd>
      
      <dt>TP2</dt>
      <dd>Uses the RtlCreateUserThread function to create a thread in the process which calls 
      ExitProcess, terminating the process. On Vista and above, the thread calls 
      RtlExitUserProcess.</dd>
      
      <dt>TT1</dt>
      <dd>Terminates the process' threads by using the NtTerminateThread function.</dd>
      
      <dt>TT2</dt>
      <dd>Sets the contexts of the process' threads to point to the ExitProcess function. The 
      process will be terminated when one of the threads is context-switched to.</dd>
      
      <dt>TP1a</dt>
      <dd>(Windows Server 2003 and above only.) Uses NtGetNextProcess to open a handle to the process and terminate it 
      using NtTerminateProcess.</dd>
      
      <dt>TT1a</dt>
      <dd>(Windows Server 2003 and above only.) Uses NtGetNextThread to open a handle to each of the process' threads and 
      terminates them using NtTerminateThread.</dd>
      
      <dt>CH1</dt>
      <dd>Uses NtDuplicateObject to close the process' handles. This method works best for 
      complex programs.</dd>
      
      <dt>W1</dt>
      <dd>Sends WM_DESTROY messages to the process' windows.</dd>
      
      <dt>W2</dt>
      <dd>Sends WM_QUIT messages to the process' windows.</dd>
      
      <dt>TJ1</dt>
      <dd>Creates a job, assigns the process to it, and terminates the job, terminating the process.</dd>
      
      <dt>TD1</dt>
      <dd>Creates a debug object, assigns the process to it, and closes the debug object, 
      terminating the process.</dd>
      
      <dt>TP3</dt>
      <dd>Uses the internal kernel-mode function PsTerminateProcess to terminate the process.</dd>
      
      <dt>TT3</dt>
      <dd>Uses the internal kernel-mode function PspTerminateThreadByPointer to terminate the process' 
      threads.</dd>
      
      <dt>TT4</dt>
      <dd>Queues a kernel-mode special asynchronous procedure call (APC) to each of the process' threads. 
      This APC calls PspTerminateThreadByPointer to directly terminate the threads. This method will 
      terminate threads hanging due to kernel-mode code, but the system may crash or freeze because 
      kernel-mode code is not given the chance to release any resources. <strong>Use this option with 
      extreme caution.</strong></dd>
      
      <dt>M1</dt>
      <dd>Uses NtWriteVirtualMemory to write random data to the process' memory, crashing the process.</dd>
      
      <dt>M2</dt>
      <dd>Uses NtProtectVirtualMemory to prevent the process' pages from being used, crashing the process.</dd>
    </dl>

    <h1 id="procprops">Process Properties</h1>
    <dl>
      <dt>General</dt>
      <dd>Displays basic information about the process and its image file. You can also view/change its 
      DEP status, and protect/unprotect it (requires Windows Vista and above).</dd>
      
      <dt>Statistics</dt>
      <dd>Displays statistics and performance information.</dd>
      
      <dt>Performance</dt>
      <dd>Displays three graphs relating to the process' performance - CPU Usage, 
      Private Bytes, and I/O activity. You can hover your mouse over the graphs to view details.</dd>
      
      <dt>Threads</dt>
      <dd>Displays the process' threads, including their symbolic start addresses. You can click on 
      a thread to view more information, or double-click a thread to view its call stack.</dd>
      
      <dt>Token</dt>
      <dd>Displays the process' primary token. You can also enable and disable privileges by 
      right-clicking on them.</dd>
      
      <dt>Modules</dt>
      <dd>Displays the modules loaded by the process. Right-click a module for more options.</dd>
      
      <dt>Memory</dt>
      <dd>Displays the process' virtual memory regions. Double-click a memory region to 
      read/write its contents, and right-click a memory region to perform other actions. You can 
      click the <strong>Strings...</strong> button to perform a string scan.</dd>
      
      <dt>Environment</dt>
      <dd>Displays the process' environment variables.</dd>
      
      <dt>Handles</dt>
      <dd>Displays the process' handles - resources it has opened. You can right-click a handle and 
      close it.</dd>
      
      <dt>Job</dt>
      <dd>Displays information about the process' associated job.</dd>
      
      <dt>Services</dt>
      <dd>Displays services that are registered in the process. You can double-click a service to 
      view and edit its properties.</dd>
    </dl>
    
    <h1 id="glossary">Glossary</h1>
    <dl>
      <dt>Affinity</dt>
      <dd>The set of processors on which a thread or collection of threads (process) is allowed to 
      execute.</dd>
      <dt>ALPC</dt>
      <dd>Asynchronous Local inter-Process Communication. A replacement for LPC introduced in Windows 
      Vista.</dd>
      <dt>ALPC Port (Object)</dt>
      <dd>An ALPC object that can be opened in order to communicate with another process.</dd>
      <dt>Child Process</dt>
      <dd>A new process started by an existing one.</dd>
      <dt>Command Line</dt>
      <dd>A <em>string</em> describing a program to start and any parameters to pass to it. Examples: 
      <code>C:\Windows\notepad.exe C:\Windows\win.ini</code>, <code>cmd /TF0</code></dd>
      <dt>Commit</dt>
      <dd>A committed page or memory region contains actual data. Compare with <em>reserve</em>.</dd>
      <dt>Context Switch</dt>
      <dd>The act of switching a processor to run another thread. Since processors can only run one task 
      at a time, context switching gives the illusion of multi-tasking.</dd>
      <dt>Data Execution Prevention</dt>
      <dd>The Windows implementation of NX (No eXecute) technology, designed to prevent the execution of data 
      regions as code. This can prevent certain types of software attacks.</dd>
      <dt>Directory (Object)</dt>
      <dd>A "directory" in the NT object manager. These have nothing to do with files and folders, although 
      through the object manager all kinds of objects are accessed, including the file system and registry.</dd>
      <dt>DLL</dt>
      <dd>An executable <em>image</em> which can be loaded by processes. Through this mechanism, code and resources 
      may be shared. Note that the file extension ".dll" is not required; processes can load images with any 
      extension.</dd>
      <dt>Driver</dt>
      <dd>An executable <em>image</em> which can be loaded into and executed in <em>kernel-mode</em>. This provides 
      drivers with low-level access to the system. This is required for hardware drivers and security software, but is 
      a mechanism through which most rootkits take control of a computer.</dd>
      <dt>Elevation (UAC)</dt>
      <dd>Under UAC, a process which is elevated has full administrative rights to system resources.</dd>
      <dt>Environment Variable</dt>
      <dd>A variable accessible to processes describing the operating system environment. Environment variables 
      are normally inherited by <em>child processes</em>.</dd>
      <dt>EtwRegistration (Object)</dt>
      <dd>An object used by Event Tracing for Windows.</dd>
      <dt>GDI</dt>
      <dd>Graphics Device Interface. This is a system which provides basic graphics support for programs.</dd>
      <dt>GDI Handles/Objects</dt>
      <dd>GDI allows programs to create drawing-related objects such as Bitmaps, Brushes, and Palettes.</dd>
      <dt>Handle</dt>
      <dd>A reference to a shared operating system object or resource, e.g. a handle to an event, file or process.</dd>
      <dt>Handle leak</dt>
      <dd>Occurs when a program does not release its handles, leading to increased consumption of resources and 
      even crashes.</dd>
      <dt>Heap</dt>
      <dd>A process-managed structure from which memory can be allocated. Since <em>pages</em> can only be 
      allocated in large chunks, using a heap will reduce wastage of memory for small allocations.</dd>
      <dt>Image</dt>
      <dd>A "package" containing executable code.</dd>
      <dt>Interrupt</dt>
      <dd>An event, usually signaled by hardware, that is handled by the operating system through an 
      <em>interrupt handler</em>.</dd>
      <dt>Key (Object)</dt>
      <dd>A registry key.</dd>
      <dt>Kernel</dt>
      <dd>A collection of code that manages system-wide resources such as I/O, processes and threads, and 
      security. System calls are also handled by the kernel.</dd>
      <dt>Kernel-mode</dt>
      <dd>A processor mode in which code can access hardware directly and access all memory. For example, when 
      a <em>system call</em> is made, the processor switches to kernel-mode in order to perform an action on 
      the requester's behalf. When the system call finishes, it switches back to user-mode and the requester 
      continues normal execution.</dd>
      <dt>Kernel-mode thread</dt>
      <dd>A thread that runs solely in kernel-mode. These are usually worker threads that carry out delayed 
      operating system tasks. Most kernel-mode threads are contained in the System process, but csrss.exe also 
      runs kernel-mode threads.</dd>
      <dt>LPC</dt>
      <dd>Local inter-Process Communication (not Local Procedure Call). A Windows NT mechanism which enables 
      processes to communicate with each other. Primary consumers are system services and RPC.</dd>
      <dt>LUID</dt>
      <dd>Locally Unique IDentifier. A value which is unique on the local system until it is rebooted.</dd>
      <dt>Module</dt>
      <dd>See <em>DLL</em>.</dd>
      <dt>Mutant (Object)</dt>
      <dd>A mutex object. Win32 calls these objects mutexes, while in the Native API they are called mutants.</dd>
      <dt>Page</dt>
      <dd>A block of memory, 4 kB in size on x86 and AMD64 processors.</dd>
      <dt>PEB</dt>
      <dd>Process Environment Block. The PEB contains a variety of data used by the process.</dd>
      <dt>Privilege</dt>
      <dd>A privilege belonging to a process. It can be enabled or disabled, and certain system calls require 
      the presence of specific privileges to work.</dd>
      <dt>Process</dt>
      <dd>A collection of <em>threads</em> along with virtual memory, <em>handles</em> and other resources.</dd>
      <dt>Protection (DRM)</dt>
      <dd>Process and thread protection introduced in Windows Vista, designed to enhance support for digital 
      restrictions management. Examples of processes protected by this mechanism include System and audiodg.exe.</dd>
      <dt>Reserve</dt>
      <dd>A reserved page or memory region does not contain data and has not been allocated storage in physical 
      memory. Reserving pages is commonly done to ensure a certain amount of contiguous address space is available 
      without actually allocating storage. Compare with <em>commit</em>.</dd>
      <dt>Section (Object)</dt>
      <dd>A block of memory that can be mapped into a process' address space. The data for this block of memory can 
      be temporary ("backed" by the pagefile) or can come from a file ("backed" by a file, i.e. file mapping). Win32 
      calls these objects "file mappings".</dd>
      <dt>Service</dt>
      <dd>A program managed by the operating system which runs in the background. Services can be in shared processes 
      (in svchost.exe instances), in separate processes, or drivers loaded into kernel-mode space.</dd>
      <dt>SID</dt>
      <dd>Security IDentifier. A unique identifier assigned to security-related objects such as users and groups.</dd>
      <dt>String</dt>
      <dd>A sequence of characters - text.</dd>
      <dt>System Call</dt>
      <dd>A request that is made by a thread to the <em>kernel</em> to perform a task on the thread's behalf. This is done 
      because most threads run in user-mode and are unable to access hardware directly. See <em>kernel-mode</em>.</dd>
      <dt>System Thread</dt>
      <dd>See <em>kernel-mode thread</em>.</dd>
      <dt>Thread</dt>
      <dd>A unit of execution belonging to a process, running code concurrently. Most threads run in <em>user-mode</em>, 
      but some are <em>kernel-mode threads</em>.</dd>
      <dt>TmEn (Object)</dt>
      <dd>Enlistment objects (for the transaction manager).</dd>
      <dt>TmRm (Object)</dt>
      <dd>Resource Manager objects (for the transaction manager).</dd>
      <dt>TmTm (Object)</dt>
      <dd>Transaction Manager objects. These have an associated log file.</dd>
      <dt>TmTx (Object)</dt>
      <dd>Transaction objects (for the transaction manager).</dd>
      <dt>User Account Control</dt>
      <dd>Refers to restrictions on normal processes preventing them from modifying system-wide files and settings. 
      Processes which are <em>elevated</em> have full administrative access to system resources.</dd>
      <dt>Virtualization (UAC)</dt>
      <dd>A technology which redirects writes to the file system and registry for processes which are not 
      <em>elevated</em>.</dd>
      <dt>Working set</dt>
      <dd>The collection of <em>pages</em> recently referenced by a process. These pages are in physical 
      memory, while other pages may be in the pagefile.</dd>
      <dt>WOW64</dt>
      <dd>A technology which enables 32-bit programs to run on 64-bit Windows systems.</dd>
    </dl>
    
    <h1 id="copyright">Copyright Information</h1>
    <h2>Process Hacker</h2>
    <pre>
      Process Hacker

      Copyright (C) 2009-2010 wj32 and various authors

      This program is free software: you can redistribute it and/or modify
      it under the terms of the GNU General Public License as published by
      the Free Software Foundation, either version 3 of the License, or
      (at your option) any later version.

      This program is distributed in the hope that it will be useful,
      but WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      GNU General Public License for more details.

      You should have received a copy of the GNU General Public License
      along with this program.  If not, see &lt;http://www.gnu.org/licenses/&gt;.</pre>
    
    <h2>MD5</h2>
    <p>Process Hacker uses an MD5 implementation licensed under the following terms:</p>
    <pre>MD5 hash implementation and interface functions
Copyright (c) 2003-2005, Jouni Malinen &lt;jkmaline@cc.hut.fi&gt;

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation.</pre>
    
    <h2>SHA</h2>
    <p>Process Hacker uses a SHA implementation licensed under the following terms:</p>
    <pre>Copyright 2004 Filip Navara
Based on public domain SHA code by Steve Reid &lt;steve@edmweb.com&gt;

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA</pre>
    
    <h2>PCRE</h2>
    <p>Process Hacker uses Perl-Compatible Regular Expressions licensed under the 
    following terms:</p>
    <pre>PCRE is a library of functions to support regular expressions whose syntax
and semantics are as close as possible to those of the Perl 5 language.

Release 8 of PCRE is distributed under the terms of the "BSD" licence, as
specified below.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice,
      this list of conditions and the following disclaimer.

    * Redistributions in binary form must reproduce the above copyright
      notice, this list of conditions and the following disclaimer in the
      documentation and/or other materials provided with the distribution.

    * Neither the name of the University of Cambridge nor the name of Google
      Inc. nor the names of their contributors may be used to endorse or
      promote products derived from this software without specific prior
      written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.</pre>
    
    <h2>Mini-XML</h2>
    <p>Process Hacker uses Mini-XML licensed under the following terms:</p>
    <pre>The Mini-XML library and included programs are provided under the
terms of the GNU Library General Public License (LGPL) with the
following exceptions:

    1. Static linking of applications to the Mini-XML library
       does not constitute a derivative work and does not require
       the author to provide source code for the application, use
       the shared Mini-XML libraries, or link their applications
       against a user-supplied version of Mini-XML.

       If you link the application to a modified version of
       Mini-XML, then the changes to Mini-XML must be provided
       under the terms of the LGPL in sections 1, 2, and 4.

    2. You do not have to provide a copy of the Mini-XML license
       with programs that are linked to the Mini-XML library, nor
       do you have to identify the Mini-XML license in your
       program or documentation as required by section 6 of the
       LGPL.</pre>
  </body>
</html>
